Bug 2259475 (CVE-2024-1459)

Summary: CVE-2024-1459 undertow: directory traversal vulnerability
Product: [Other] Security Response
Component: vulnerability
Reporter: Robb Gatica <rgatica>
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2259048
CC: aileenc, anstephe, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, carnil, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, fjuma, gmalinko, gsmet, ibek, ivassile, iweiss, james, janstey, jmartisk, jrokos, kverlaen, lgao, lthon, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, olubyans, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rowaters, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, smaestri, sthorger, tom.jenkinson, tqvarnst

Description Robb Gatica 2024-01-22 04:41:04 UTC
A potential directory traversal vulnerability in JBoss EAP was discovered. Initial tests determined that appending "/..;/" to a request will return the JBoss EAP welcome page from the / directory.

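The description above notes that a "/..;/" sequence reaches the welcome page from the root. The reason a naive "/../" filter misses it is that ";" introduces a path parameter, so the raw segment is "..;" and only becomes ".." once the parameter is stripped. The following added example (not code from Undertow, Red Hat or this bug report) shows a defender-side check: it canonicalizes a request target the way a servlet-style container resolves it, flags targets whose traversal only appears after path-parameter stripping, and runs that check over a few constructed access-log lines. The log lines, hosts and application paths are constructed samples.

```python
"""
Detection helper for ".." segments hidden behind a ";" path-parameter
delimiter, such as the "/..;/" sequence described for CVE-2024-1459.
Added example; not code from Undertow or Red Hat.
"""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2024:04:41:04 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 512
10.0.0.5 - - [22/Jan/2024:04:41:05 +0000] "GET /myapp/..;/ HTTP/1.1" 200 1024
10.0.0.7 - - [22/Jan/2024:04:41:07 +0000] "GET /myapp/a;jsessionid=abc/b HTTP/1.1" 200 77
"""

# Pulls method and request-target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def split_segments(raw_path: str) -> list:
    """Drop the query string, percent-decode, and split the path on '/'."""
    path = raw_path.split("?", 1)[0]
    return unquote(path).split("/")


def strip_path_params(segment: str) -> str:
    """Remove a ';name=value' path parameter (matrix-style) from one segment."""
    return segment.split(";", 1)[0]


def canonical_path(raw_path: str) -> str:
    """Resolve '.' and '..' after path parameters are stripped, mirroring how a
    servlet-style container maps the request to a resource path."""
    out = []
    for seg in split_segments(raw_path):
        seg = strip_path_params(seg)
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_hidden_traversal(raw_path: str) -> bool:
    """True when a segment is not literally '..' but becomes '..' once its
    path parameter is removed, i.e. a plain '/../' check would not see it."""
    for seg in split_segments(raw_path):
        if seg != ".." and strip_path_params(seg) == "..":
            return True
    return False


def scan_log(text: str) -> list:
    """Return one finding per request whose target carries a hidden traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if is_hidden_traversal(target):
            findings.append({"target": target, "resolves_to": canonical_path(target)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['target']}  ->  resolves to {finding['resolves_to']}")
```

Of the three sample requests, only the second is flagged: "/myapp/..;/" resolves to "/" once the empty path parameter is stripped, which matches the behaviour the reporter observed. The "jsessionid" line shows why a rule that simply alerts on any ";" in a path would be too noisy; comparing the segment before and after stripping is the discriminating signal.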
Comment 3 Salvatore Bonaccorso 2024-03-10 14:30:17 UTC
Is this issue fixed upstream in undertow? Is there an upstream fixing commit and/or upstream issue to track this?

Comment 4 James Howe 2024-04-16 14:15:41 UTC
This is apparently fixed in 2.3.12. I don't know why Red Hat never communicates properly about security issues.
https://issues.redhat.com/browse/UNDERTOW-2339